[ previous ] [ next ] [ threads ]
 From:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] tracking down ip
 Date:  Thu, 26 Jan 2006 12:08:25 -0500
On 1/26/06, James W. McKeand <james at mckeand dot biz> wrote:
> I believe (someone correct me) that there will only be an entry in the
> ARP table if a connection was established between the client and the
> m0n0wall. A UDP Broadcast is not a connection. The entry shows up in the
> logs, but that is just because something unusual has occurred (a machine
> is broadcasting on a different subnet than the m0n0wall LAN subnet)

yup.  It wouldn't ARP query unless it had something to return to that
host.  Dropped chatter isn't going to make it ARP query for that host.

I'd track down what it is by adding a 169.254.x.x/16 alias IP to a
machine, then ping that IP, get its MAC address from the ARP cache,
and find what switch port it's on through your switch's address table.
 That's assuming a managed switch.  Otherwise you'll have to figure it
out in some other fashion.  Looking up the vendor of the MAC address
might help narrow it down - http://coffer.com/mac_find